CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer): Vulnerability Class (47 CVEs)

47 vulnerabilities classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer). AI-generated Chinese analysis included.

CWE-212 is a data handling weakness in which an application fails to scrub sensitive information from a resource before storing or transmitting it. The residual data left in discarded documents, network packets, or database entries can then be read by an attacker, exposing credentials, personally identifiable information, or proprietary secrets. Developers often overlook this risk when reusing memory buffers or neglecting to clear temporary files, assuming that a later overwrite is sufficient. To mitigate it, engineers should apply rigorous data sanitization, explicitly clearing or overwriting every sensitive field before a resource is released or shared. Secure coding standards that enforce strict data lifecycle management, together with cryptographic erasure where appropriate, prevent accidental exposure. Regular code reviews focused on data flow and memory management are essential to find and fix these oversights and keep confidential information from leaking.

MITRE CWE Description
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. Resources that may contain sensitive data include documents, packets, messages, databases, etc. While this data may be useful to an individual user or small set of users who share the resource, it may need to be removed before the resource can be shared outside of the trusted group. The process of removal is sometimes called cleansing or scrubbing. For example, a product for editing documents might not remove sensitive data such as reviewer comments or the local pathname where the document is stored. Or, a proxy might not remove an internal IP address from headers before making an outgoing request to an Internet site.
Common Consequences (1)
Confidentiality: Read Files or Directories, Read Application Data
Sensitive data may be exposed to an unauthorized actor in another control sphere. This may have a wide range of secondary consequences that will depend on what data is exposed. One possibility is the exposure of system data - such as file l…
Mitigations (5)
Requirements: Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Operation: Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed. When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metada…
Implementation: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
Implementation: Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
Examples (1)
This code either generates a public HTML user information page or a JSON response containing the same user information. The HTML path skips the email_address field, but the JSON path serializes the whole record, so the email address is exposed through the API.
// API flag, output JSON if set
$json = $_GET['json'];
$username = $_GET['user'];

if (!$json) {
    $record = getUserRecord($username);
    foreach ($record as $fieldName => $fieldValue) {
        if ($fieldName == "email_address") {
            // skip displaying user emails
            continue;
        } else {
            writeToHtmlPage($fieldName, $fieldValue);
        }
    }
} else {
    // the JSON path emits the full record, email_address included (CWE-212)
    $record = getUserRecord($username);
    echo json_encode($record);
}
Bad · PHP
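A hardened version of the same endpoint, added here as an example and not taken from MITRE or from the page: the sensitive-field filtering is moved into one scrubUserRecord() step that runs before the output-format branch, so the HTML and JSON paths can no longer disagree about what crosses the trust boundary. An allow-list of public fields replaces the deny-list check on email_address, so a column added later is hidden by default. getUserRecord(), PUBLIC_USER_FIELDS and the user data are constructed stand-ins for illustration; PHP 8 is assumed for str_contains() and JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not from the CWE page): user-record endpoint with a single
// scrubbing step shared by the HTML and JSON output paths.

// Fields allowed to leave the trust boundary (constructed allow-list).
// Allow-listing public fields is safer than deny-listing sensitive ones:
// a newly added column defaults to hidden rather than exposed.
const PUBLIC_USER_FIELDS = ['username', 'display_name', 'joined'];

// Hypothetical record source standing in for the page's getUserRecord().
// Constructed sample data; no real users or secrets.
function getUserRecord(string $username): ?array
{
    $users = [
        'alice' => [
            'username'      => 'alice',
            'display_name'  => 'Alice',
            'joined'        => '2021-03-04',
            'email_address' => 'alice@example.invalid',
            'password_hash' => 'CONSTRUCTED-PLACEHOLDER-HASH',
            'reset_token'   => 'CONSTRUCTED-PLACEHOLDER-TOKEN',
        ],
    ];
    return $users[$username] ?? null;
}

// The one scrubbing step. Every representation of the record that crosses
// the trust boundary must pass through here.
function scrubUserRecord(array $record): array
{
    $public = [];
    foreach (PUBLIC_USER_FIELDS as $field) {
        if (array_key_exists($field, $record)) {
            $public[$field] = $record[$field];
        }
    }
    return $public;
}

function renderJson(array $publicRecord): string
{
    return json_encode($publicRecord, JSON_THROW_ON_ERROR);
}

function renderHtml(array $publicRecord): string
{
    $rows = '';
    foreach ($publicRecord as $name => $value) {
        $rows .= '<tr><td>' . htmlspecialchars((string)$name, ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8')
               . '</td></tr>';
    }
    return "<table>$rows</table>";
}

// Request handling: scrub once, before the format branch, so the API and the
// HTML page cannot diverge in what they disclose.
function handleRequest(array $query): string
{
    $username = (string)($query['user'] ?? '');
    $record   = getUserRecord($username);
    if ($record === null) {
        return isset($query['json']) ? renderJson(['error' => 'not found'])
                                     : '<p>User not found</p>';
    }
    $public = scrubUserRecord($record);
    return isset($query['json']) ? renderJson($public) : renderHtml($public);
}

// Self-check when run from the command line: neither output path may
// contain the constructed sensitive values.
if (PHP_SAPI === 'cli') {
    $json = handleRequest(['user' => 'alice', 'json' => '1']);
    $html = handleRequest(['user' => 'alice']);
    foreach (['alice@example.invalid', 'PLACEHOLDER-HASH', 'PLACEHOLDER-TOKEN'] as $secret) {
        if (str_contains($json, $secret) || str_contains($html, $secret)) {
            fwrite(STDERR, "leak detected: $secret\n");
            exit(1);
        }
    }
    echo $json, PHP_EOL;   // {"username":"alice","display_name":"Alice","joined":"2021-03-04"}
    echo $html, PHP_EOL;
}
```

Run it with `php example.php`; the script exits non-zero if either rendering still carries one of the constructed sensitive values. The PUBLIC_USER_FIELDS constant is the code-level form of the "Requirements" mitigation above: it states explicitly which fields are public, and a review of data flow only has to confirm that every output path goes through scrubUserRecord().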
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-2818 | Improper Removal of Sensitive Information Before Storage or Transfer in cockpit-hq/cockpit | cockpit-hq/cockpit | 9.8 | Critical | 2022-08-15
CVE-2022-1893 | Improper Removal of Sensitive Information Before Storage or Transfer in polonel/trudesk | polonel/trudesk | 4.6 | Medium | 2022-05-31
CVE-2022-30618 | Strapi security vulnerability | Strapi | 7.5 | - | 2022-05-19
CVE-2022-30617 | Strapi security vulnerability | Strapi | 8.8 | - | 2022-05-19
CVE-2022-1650 | Improper Removal of Sensitive Information Before Storage or Transfer in eventsource/eventsource | eventsource/eventsource | 8.1 | High | 2022-05-12
CVE-2022-24798 | Insufficient password hash filtering in some IRRd queries and exports | irrd | 7.5 | High | 2022-03-31
CVE-2022-0536 | Improper Removal of Sensitive Information Before Storage or Transfer in follow-redirects/follow-redirects | follow-redirects/follow-redirects | 2.6 | Low | 2022-02-09
CVE-2022-23605 | Expired Ephemeral Messages not reliably removed in wire-webapp | wire-webapp | 4.4 | Medium | 2022-02-04
CVE-2022-0355 | Improper Removal of Sensitive Information Before Storage or Transfer in feross/simple-get | feross/simple-get | 8.8 | High | 2022-01-26
CVE-2020-14301 | Red Hat libvirt information disclosure vulnerability | libvirt | 6.5 | - | 2021-05-27
CVE-2020-25635 | Red Hat Ansible and playbook security vulnerability | Community Collections | 5.0 | Medium | 2020-10-05
CVE-2020-14370 | Docker information disclosure vulnerability | podman | 5.3 | - | 2020-09-23
CVE-2020-15094 | RCE in Symfony | symfony | 8.0 | High | 2020-09-02
CVE-2018-6337 | Facebook HHVM and folly library security vulnerability | HHVM | 7.5 | - | 2018-12-31
CVE-2018-5559 | Rapid7 Komand security vulnerability | Komand | 2.7 | - | 2018-11-28
CVE-2017-15113 | Red Hat oVirt Engine information disclosure vulnerability | ovirt-engine | 5.9 | - | 2018-07-27
CVE-2018-1062 | Red Hat oVirt security vulnerability | oVirt | 4.4 | - | 2018-03-06

Vulnerabilities classified as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) represent 47 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.